Tuesday, November 10, 2009

Ubuntu 9.10 Is Out!

Ubuntu 9.10 (nicked named Karmic Kuala) is out and it has number of security improvements (over the previous version) that I would like to highlight:

AppArmor - AppArmor was introduced earlier that Karmic Kuala; In this release, it features an improved parser that uses cache files, greatly speeding up initialisation on boot making it less likely to be switched off by users, and a bunch of additional profiles.

Uncomplicated Firewall - Another "not new" feature which now supports filtering by interface and egress filtering.

Non-eXecutable Emulation - Non-eXecutable (NX) memory protection, also known as eXecute-Disable (XD), can help block many exploits an attacker might run from stack or heap memory. The 32-bit PAE desktop kernel (linux-image-generic-pae) now also provides the PAE mode needed for hardware with the NX CPU feature. For systems that lack NX hardware, the 32-bit kernels now provide an approximation of the NX CPU feature via software emulation.

Blocking Module Loading - To block the loading of any further modules after boot, the /proc/sys/kernel/modules_disabled one-way sysctl flag now exists to add another layer of protections against attackers loading kernel rootkits.

Position-Independent Executables - All programs built as Position Independent Executables (PIE) with "-fPIE -pie" (gcc -pie -fPIE) can take advantage of the exec Address Space Layout Randomisation(ASLR). This protects against "return-to-text" and generally frustrates memory corruption attacks.